46563d7a08ec151c3257b511d82690b3dcaebfee4cdc2f8200e02bd5f86b7707

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
Size

216KB
MD5

aa0e28ed0a69f03b99c8fbe84b24f7d2
SHA1

a4f3e1c9535483fb74480c755d89dfc5743724c3
SHA256

46563d7a08ec151c3257b511d82690b3dcaebfee4cdc2f8200e02bd5f86b7707
SHA512

13df4711cb0bc14d3a3b6c3664239242334abbf7174327339a291fc5bb2fc159dc4bd0faa7235cf3416a26cf4655845ff191635e43e1ea7e6b3c91fa62f00e8b
SSDEEP

3072:jEGh0oPl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGRlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023376-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023377-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023412-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023412-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002340f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340b-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002340f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340b-44.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53733DCA-7DF1-404c-974A-7653EC0B6194}\stubpath = "C:\\Windows\\{53733DCA-7DF1-404c-974A-7653EC0B6194}.exe"	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9F2B90A-DEC4-40fc-8504-087283260509}	{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC23496E-3225-46dc-B104-9C889B558102}	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA530EA3-7FDF-492d-8335-341CE9E789E8}\stubpath = "C:\\Windows\\{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe"	{AC23496E-3225-46dc-B104-9C889B558102}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EA36F7B-C087-4893-930F-0847F20DF731}\stubpath = "C:\\Windows\\{7EA36F7B-C087-4893-930F-0847F20DF731}.exe"	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53733DCA-7DF1-404c-974A-7653EC0B6194}	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BA2465D-7008-4fa7-AEBD-74958717F66D}\stubpath = "C:\\Windows\\{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe"	{53733DCA-7DF1-404c-974A-7653EC0B6194}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}\stubpath = "C:\\Windows\\{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe"	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA530EA3-7FDF-492d-8335-341CE9E789E8}	{AC23496E-3225-46dc-B104-9C889B558102}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{383C2510-EEF7-47c3-BD10-EE3A39946A2B}	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9584A42B-C889-43b4-BAF9-69E4C017D6D0}\stubpath = "C:\\Windows\\{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe"	{A839767C-A425-4213-8403-B20BB982481F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BECAE539-121C-44ea-80A3-F5502248B1AD}	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BECAE539-121C-44ea-80A3-F5502248B1AD}\stubpath = "C:\\Windows\\{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe"	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9F2B90A-DEC4-40fc-8504-087283260509}\stubpath = "C:\\Windows\\{B9F2B90A-DEC4-40fc-8504-087283260509}.exe"	{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{383C2510-EEF7-47c3-BD10-EE3A39946A2B}\stubpath = "C:\\Windows\\{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe"	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EA36F7B-C087-4893-930F-0847F20DF731}	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A839767C-A425-4213-8403-B20BB982481F}	{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9584A42B-C889-43b4-BAF9-69E4C017D6D0}	{A839767C-A425-4213-8403-B20BB982481F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A839767C-A425-4213-8403-B20BB982481F}\stubpath = "C:\\Windows\\{A839767C-A425-4213-8403-B20BB982481F}.exe"	{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}\stubpath = "C:\\Windows\\{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe"	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC23496E-3225-46dc-B104-9C889B558102}\stubpath = "C:\\Windows\\{AC23496E-3225-46dc-B104-9C889B558102}.exe"	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BA2465D-7008-4fa7-AEBD-74958717F66D}	{53733DCA-7DF1-404c-974A-7653EC0B6194}.exe

Executes dropped EXE 11 IoCs

pid	Process
3536	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe
3472	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe
3096	{AC23496E-3225-46dc-B104-9C889B558102}.exe
4396	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe
1772	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe
2748	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe
4464	{53733DCA-7DF1-404c-974A-7653EC0B6194}.exe
4628	{A839767C-A425-4213-8403-B20BB982481F}.exe
4716	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe
2392	{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe
4936	{B9F2B90A-DEC4-40fc-8504-087283260509}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AC23496E-3225-46dc-B104-9C889B558102}.exe	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe
File created	C:\Windows\{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe	{AC23496E-3225-46dc-B104-9C889B558102}.exe
File created	C:\Windows\{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe
File created	C:\Windows\{7EA36F7B-C087-4893-930F-0847F20DF731}.exe	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe
File created	C:\Windows\{53733DCA-7DF1-404c-974A-7653EC0B6194}.exe	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe
File created	C:\Windows\{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe	{A839767C-A425-4213-8403-B20BB982481F}.exe
File created	C:\Windows\{B9F2B90A-DEC4-40fc-8504-087283260509}.exe	{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe
File created	C:\Windows\{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
File created	C:\Windows\{A839767C-A425-4213-8403-B20BB982481F}.exe	{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe
File created	C:\Windows\{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe
File created	C:\Windows\{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4180	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3536	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe
Token: SeIncBasePriorityPrivilege	3472	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe
Token: SeIncBasePriorityPrivilege	3096	{AC23496E-3225-46dc-B104-9C889B558102}.exe
Token: SeIncBasePriorityPrivilege	4396	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe
Token: SeIncBasePriorityPrivilege	1772	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe
Token: SeIncBasePriorityPrivilege	2748	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe
Token: SeIncBasePriorityPrivilege	3028	{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe
Token: SeIncBasePriorityPrivilege	4628	{A839767C-A425-4213-8403-B20BB982481F}.exe
Token: SeIncBasePriorityPrivilege	4716	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe
Token: SeIncBasePriorityPrivilege	2392	{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 3536	4180	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	91
PID 4180 wrote to memory of 3536	4180	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	91
PID 4180 wrote to memory of 3536	4180	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	91
PID 4180 wrote to memory of 60	4180	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	92
PID 4180 wrote to memory of 60	4180	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	92
PID 4180 wrote to memory of 60	4180	2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe	92
PID 3536 wrote to memory of 3472	3536	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe	93
PID 3536 wrote to memory of 3472	3536	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe	93
PID 3536 wrote to memory of 3472	3536	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe	93
PID 3536 wrote to memory of 2356	3536	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe	94
PID 3536 wrote to memory of 2356	3536	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe	94
PID 3536 wrote to memory of 2356	3536	{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe	94
PID 3472 wrote to memory of 3096	3472	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe	97
PID 3472 wrote to memory of 3096	3472	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe	97
PID 3472 wrote to memory of 3096	3472	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe	97
PID 3472 wrote to memory of 2680	3472	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe	98
PID 3472 wrote to memory of 2680	3472	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe	98
PID 3472 wrote to memory of 2680	3472	{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe	98
PID 3096 wrote to memory of 4396	3096	{AC23496E-3225-46dc-B104-9C889B558102}.exe	100
PID 3096 wrote to memory of 4396	3096	{AC23496E-3225-46dc-B104-9C889B558102}.exe	100
PID 3096 wrote to memory of 4396	3096	{AC23496E-3225-46dc-B104-9C889B558102}.exe	100
PID 3096 wrote to memory of 5032	3096	{AC23496E-3225-46dc-B104-9C889B558102}.exe	101
PID 3096 wrote to memory of 5032	3096	{AC23496E-3225-46dc-B104-9C889B558102}.exe	101
PID 3096 wrote to memory of 5032	3096	{AC23496E-3225-46dc-B104-9C889B558102}.exe	101
PID 4396 wrote to memory of 1772	4396	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe	102
PID 4396 wrote to memory of 1772	4396	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe	102
PID 4396 wrote to memory of 1772	4396	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe	102
PID 4396 wrote to memory of 2492	4396	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe	103
PID 4396 wrote to memory of 2492	4396	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe	103
PID 4396 wrote to memory of 2492	4396	{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe	103
PID 1772 wrote to memory of 2748	1772	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe	104
PID 1772 wrote to memory of 2748	1772	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe	104
PID 1772 wrote to memory of 2748	1772	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe	104
PID 1772 wrote to memory of 4444	1772	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe	105
PID 1772 wrote to memory of 4444	1772	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe	105
PID 1772 wrote to memory of 4444	1772	{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe	105
PID 2748 wrote to memory of 4464	2748	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe	106
PID 2748 wrote to memory of 4464	2748	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe	106
PID 2748 wrote to memory of 4464	2748	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe	106
PID 2748 wrote to memory of 4352	2748	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe	107
PID 2748 wrote to memory of 4352	2748	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe	107
PID 2748 wrote to memory of 4352	2748	{7EA36F7B-C087-4893-930F-0847F20DF731}.exe	107
PID 3028 wrote to memory of 4628	3028	{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe	110
PID 3028 wrote to memory of 4628	3028	{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe	110
PID 3028 wrote to memory of 4628	3028	{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe	110
PID 3028 wrote to memory of 3608	3028	{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe	111
PID 3028 wrote to memory of 3608	3028	{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe	111
PID 3028 wrote to memory of 3608	3028	{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe	111
PID 4628 wrote to memory of 4716	4628	{A839767C-A425-4213-8403-B20BB982481F}.exe	112
PID 4628 wrote to memory of 4716	4628	{A839767C-A425-4213-8403-B20BB982481F}.exe	112
PID 4628 wrote to memory of 4716	4628	{A839767C-A425-4213-8403-B20BB982481F}.exe	112
PID 4628 wrote to memory of 3456	4628	{A839767C-A425-4213-8403-B20BB982481F}.exe	113
PID 4628 wrote to memory of 3456	4628	{A839767C-A425-4213-8403-B20BB982481F}.exe	113
PID 4628 wrote to memory of 3456	4628	{A839767C-A425-4213-8403-B20BB982481F}.exe	113
PID 4716 wrote to memory of 2392	4716	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe	114
PID 4716 wrote to memory of 2392	4716	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe	114
PID 4716 wrote to memory of 2392	4716	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe	114
PID 4716 wrote to memory of 4412	4716	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe	115
PID 4716 wrote to memory of 4412	4716	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe	115
PID 4716 wrote to memory of 4412	4716	{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe	115
PID 2392 wrote to memory of 4936	2392	{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe	116
PID 2392 wrote to memory of 4936	2392	{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe	116
PID 2392 wrote to memory of 4936	2392	{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe	116
PID 2392 wrote to memory of 5028	2392	{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_aa0e28ed0a69f03b99c8fbe84b24f7d2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe
  C:\Windows\{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe
    C:\Windows\{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\{AC23496E-3225-46dc-B104-9C889B558102}.exe
      C:\Windows\{AC23496E-3225-46dc-B104-9C889B558102}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Windows\{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe
        
        C:\Windows\{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
      - C:\Windows\{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe
        
        C:\Windows\{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\{7EA36F7B-C087-4893-930F-0847F20DF731}.exe
        
        C:\Windows\{7EA36F7B-C087-4893-930F-0847F20DF731}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{53733DCA-7DF1-404c-974A-7653EC0B6194}.exe
        
        C:\Windows\{53733DCA-7DF1-404c-974A-7653EC0B6194}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe
        
        C:\Windows\{7BA2465D-7008-4fa7-AEBD-74958717F66D}.exe
        9⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{A839767C-A425-4213-8403-B20BB982481F}.exe
        
        C:\Windows\{A839767C-A425-4213-8403-B20BB982481F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe
        
        C:\Windows\{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe
        
        C:\Windows\{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\{B9F2B90A-DEC4-40fc-8504-087283260509}.exe
        
        C:\Windows\{B9F2B90A-DEC4-40fc-8504-087283260509}.exe
        13⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BECAE~1.EXE > nul
        13⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9584A~1.EXE > nul
        12⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8397~1.EXE > nul
        11⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BA24~1.EXE > nul
        10⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53733~1.EXE > nul
        9⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EA36~1.EXE > nul
        8⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{383C2~1.EXE > nul
        7⤵
        
        PID:4444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA530~1.EXE > nul
        6⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC234~1.EXE > nul
        5⤵
        
        PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ECD57~1.EXE > nul
      4⤵
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{808E3~1.EXE > nul
    3⤵
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{383C2510-EEF7-47c3-BD10-EE3A39946A2B}.exe

Filesize
216KB

MD5
b1c9aecd462d1e5a4581fea6ffbbec21

SHA1
d774ca1bdfaf4e2d2690cf15039876b6f2e7506c

SHA256
f8bb814e403a18e9166a93cc313055b53b59c1429d0ff231edaa0d2bc0d3ab73

SHA512
1ce025b77710227079d371c59adc5e6c1947c8d0311f3951f6df89498c037c28e5b8d34db2e9a041339ec9537332725f356fed492fe8ef7f63f71e3ddf14daa8

Download Submit
C:\Windows\{53733DCA-7DF1-404c-974A-7653EC0B6194}.exe

Filesize
216KB

MD5
6d3ff4c47c34cc61df7c9c467a2f3780

SHA1
4bba2d248b5f93fa76b4146e2e556f38a95ee86b

SHA256
887030806cbf7392acf1ac673d1aac9dfb2ddadd82b46b46b0230c2ce2bcae40

SHA512
2893c1dd371e3780fdec8cb3200595120da1cf3db7a14ba712050bc6ce9a9051816d42a5296bef90b99be39f687d87c5a6fbc2d6013a58b142d38e6a3d2e8a39

Download Submit
C:\Windows\{7EA36F7B-C087-4893-930F-0847F20DF731}.exe

Filesize
216KB

MD5
63e9239b3af870445970c8812333c6ee

SHA1
72f6310f1e50773693375bd559fa31c09a516628

SHA256
e778135aadb6c247561ff00329602ca16e4507df1405cfe2be216c4d47813c1b

SHA512
343693a17927fc37e58d58ba3c947675641e4048e99c1164f4f72197380418273c936a91ca99575eaece260156ff9897aa32c18ce571413b1606336941f5ea4b

Download Submit
C:\Windows\{808E3E4A-50B7-4fa0-8218-2FBE4CA2F671}.exe

Filesize
216KB

MD5
3ee9ad8ac51e6137a04240decff1162e

SHA1
a86218a36550ff6a7e4f3b5b6ef2b2992dbe709b

SHA256
65ae834d2f1001a31e4f4fb3e3e64cd12d22d70234341a78950de1720f007264

SHA512
b744386621b523a125adc809b1f6a84ff0933803af69b978ff8d53357aced2cf6a87abbde2f5c28af2d5d071a2736e99a8b412381d250d32b7e0140eec9235b9

Download Submit
C:\Windows\{9584A42B-C889-43b4-BAF9-69E4C017D6D0}.exe

Filesize
216KB

MD5
e4d74663441f03c2cf83d0cd21553b88

SHA1
c1baa5799929c6a896c98f96f328269f31d6a54b

SHA256
dbc6569dd1da5dfdefb63c7f051b24c3c8fee55f02b6c573f0367015cc137061

SHA512
341f5ff2945d74e830c46b7165b7d735a9a97b36026c488cfc9c595a461a595e575627f7b8deb24fd0921ff28a14f9418c241933a09f7b09950afa708e159677

Download Submit
C:\Windows\{A839767C-A425-4213-8403-B20BB982481F}.exe

Filesize
216KB

MD5
0f60a8529ebe66e5c1a1b7af9dbd47ef

SHA1
0e12adfe1f6d1b5c7e42fa724b1898c3f9853c20

SHA256
1cf0bb1cd75e97fa6c3639a0eb082cd756753d6733c4d03386bd5c9615556dfc

SHA512
0bbd1cdb64d83591692dc0675d3b2e2947c45fc4affc42737b9fdc95ee43648652c27ebcd58e59abf69ff010098f9850f18dc647085bd5cd822189998a6471aa

Download Submit
C:\Windows\{AC23496E-3225-46dc-B104-9C889B558102}.exe

Filesize
216KB

MD5
a04f5485a7b638b2e3857051636844dd

SHA1
08f449d2770500723f50a8bb9ada367b2cd61464

SHA256
a090aad18d95c668ea343650b1aee4f37e803931a321f61232c5ef2c0547dd4e

SHA512
6bdb0a9031658205d27051233ca0fb14606b683ae762cd15d089b653981e7dfe75fd7273d31589cee4ec5bdf0fd6c11c3887e943249031eee8d2bb6ca43264c5

Download Submit
C:\Windows\{B9F2B90A-DEC4-40fc-8504-087283260509}.exe

Filesize
216KB

MD5
f0882be4db032b8b848a8eb248c6e198

SHA1
13a48f9645384568e9d3161f36617992da9f3986

SHA256
d99b391049769a95266371c90780509c8c45aab0ae0d0f3fa172400d7f4d04f9

SHA512
86e5d4bbc8086b01351323e58b461599fe81f9749ea2b9c90630b9b2db31e7f1cae23df4ef77ef1622fa4e5f58a81922b1e030edd072459692ae63f6d0136e7d

Download Submit
C:\Windows\{BA530EA3-7FDF-492d-8335-341CE9E789E8}.exe

Filesize
216KB

MD5
883809d0a91cd414c80e58d55d85dfdd

SHA1
c19c9dda6edda3ab08d19fb22d3f679010493920

SHA256
a4cf1721e8fc9f8905a4bdcb0136c9f601c4f6e8514856d0ed34c7101f7019df

SHA512
905b3a93a91d6ce91afeebfe7456a2776a69c7049cf872484ac8c238e50e6dd2f3e2beab3535add5fe3ed17bddc182094a0b9b623109250a7327b6584b320ddf

Download Submit
C:\Windows\{BECAE539-121C-44ea-80A3-F5502248B1AD}.exe

Filesize
216KB

MD5
3e7563fe1b8843470331f55258f9df9b

SHA1
90b273551045582cd8923eacf3c49cc00373ce1f

SHA256
bbc7cfdc5dd9db9d0f3c4214c813f7fba6c60090710ccd2df76a5df182685fc4

SHA512
9709b79a05cae7c02fa22934bb33b7d4b639540a13b735ce2a996133d30f58806e0cbf7f265fd7ce6d5a5e8078cd11b8fe3cd6e4c4a6fbb04f37bd145ca96942

Download Submit
C:\Windows\{ECD5723E-8C7B-4a1f-86F0-7DEAEA5E277A}.exe

Filesize
216KB

MD5
4d393db92af75741cdb0584d62725ed6

SHA1
88a4bc859cb24e352bc6d0eec411478784a5aa9e

SHA256
ddd550ac877fc565456a14b1980d53b47722a860dc16d8e3b19b2c114af0d2df

SHA512
4032ee0ad0ac0e4bfef69ed6d0c1e8b22ba1d30aa67ad5ade623ded4ee730b710c3cba7fc9defaf13ea7b4231b062f9765e6d1b9f4a1a980cded069a573d2509

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads